authorV3n3RiX <venerix@koprulu.sector>2023-03-17 06:26:48 +0000
committerV3n3RiX <venerix@koprulu.sector>2023-03-17 06:26:48 +0000
commit2e0bf408961ec1023d3db1fc5d687c233661ac26 (patch)
tree96c6e46af3c356d1fb470acdf72ada482bb293f8 /net-misc/openssh/files
parent48dbe17904ac8ee6f006488d8f21734b0d253db4 (diff)
gentoo auto-resync : 17:03:2023 - 06:26:48
Diffstat (limited to 'net-misc/openssh/files')
-rw-r--r--net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch20
-rw-r--r--net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch61
2 files changed, 81 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
new file mode 100644
index 000000000000..4d098b2231c7
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,20 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..d93a357c6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_statx
+ SC_DENY(__NR_statx, EACCES),
+ #endif
++#ifdef __NR_shmget
++ SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++ SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++ SC_DENY(__NR_shmdt, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk
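Review bot: The three new `SC_DENY` entries only take effect where `__NR_shmget`, `__NR_shmat` and `__NR_shmdt` are defined; on architectures that multiplex SysV IPC through `ipc(2)` those constants may be absent, so the denies silently compile out and a shared-memory attempt in the preauth child falls to the filter's default action rather than returning EACCES. Whether `__NR_ipc` receives matching treatment elsewhere in `preauth_insns` is not visible in this hunk and is worth confirming before relying on the soft failure. Because the calls are refused with an errno instead of killing the child, presumably so that whatever library code probes shared memory in the preauth process degrades gracefully, a one-line comment above the block would help the next reader: `/* SysV shared memory: deny with EACCES so callers fail soft instead of tripping the default action */`. The `preauth_insns` array begins and ends outside the hunk.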
diff --git a/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..caccfd17c11d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
@@ -0,0 +1,61 @@
+diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
+index 033f35763..efc387fa7 100644
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
+ if (headerver == libver)
+ return 1;
+
+- /* for versions < 1.0.0, major,minor,fix,status must match */
+- if (headerver < 0x1000000f) {
+- mask = 0xfffff00fL; /* major,minor,fix,status */
+- return (headerver & mask) == (libver & mask);
++ /*
++ * For versions < 3.0.0, major,minor,status must match and library
++ * fix version must be equal to or newer than the header.
++ */
++ if (headerver < 0x3000000f) {
++ mask = 0xfff0000fL; /* major,minor,status */
++ hfix = (headerver & 0x000ff000) >> 12;
++ lfix = (libver & 0x000ff000) >> 12;
++ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
++ return 1;
+ }
+
+ /*
+- * For versions >= 1.0.0, major,minor,status must match and library
+- * fix version must be equal to or newer than the header.
++ * For versions >= 3.0.0, major must match and minor,status must be
++ * equal to or greater than the header.
+ */
+- mask = 0xfff00000L; /* major,minor,status */
+- hfix = (headerver & 0x000ff000) >> 12;
+- lfix = (libver & 0x000ff000) >> 12;
++ mask = 0xf000000fL; /* major, status */
++ hfix = (headerver & 0x0ffffff0L) >> 12;
++ lfix = (libver & 0x0ffffff0L) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+ return 1;
+ return 0;
+diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
+index d50066609..60a8a4e6c 100644
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -31,7 +31,7 @@ struct version_test {
+ { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
+ { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
+ { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
+- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
++ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */
+ { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
+ { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
+
+@@ -41,7 +41,7 @@ struct version_test {
+ { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
+ { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
+ { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
+- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
++ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */
+ { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
+ { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
+ };
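Review bot: The `if (headerver < 0x3000000f)` block imposes no constraint of its own: when its test fails, control falls into the >= 3.0.0 rule below, which is strictly looser (only major and status must match, and the combined minor.fix field must be >=), and the flipped regress expectations `{ 0x0090802fL, 0x0090902fL, 1}` and `{ 0x1000101fL, 0x1010101fL, 1}` show this is accepted on purpose, so a 1.0.x header now passes against a 1.1.x libcrypto even though that boundary was an ABI break. If pre-1.1.1 builds are already excluded at configure time (not visible here) that is harmless, but then the comment should say the pre-3.0 block is only a fast path; otherwise the block should end with `return 0;` after its inner `if` so the documented pre-3.0 rule is actually binding. The comment on the >= 3.0.0 rule is also inaccurate, since `mask = 0xf000000fL` forces the status nibble to match and `hfix`/`lfix` compare the minor and fix fields together (the patch nibble is shifted out); it should read `/* For versions >= 3.0.0, major and status must match and minor.fix must be equal to or newer than the header. */`. The declaration of `ssh_compatible_openssl` and its `mask`/`hfix`/`lfix` locals lie above the hunk.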